If a national government wants to prevent certain kinds of Internet communication inside its borders, the costs can be extreme and success will never be more than partial. VPN and tunnel technologies will keep improving as long as there is demand, and filtering or blocking every such technology will be a never-ending game of one-upmanship. Everyone knows, and will always know, that determined Internet users will find a way to get to what they want, but sometimes the symbolic message is more important than the operational results. In this article, I will describe some current and prior approaches to this problem, and also make some recommendations for doing nation-state Internet filtering in the most responsible and constructive manner.

History, Background, and SOPA

For many years, China's so-called Great Firewall has mostly stopped law-abiding people, citizens and visitors alike, from accessing most of the Internet content that the Chinese government does not approve of. As a frequent visitor to China, I find it a little odd that my Verizon Wireless data roaming is implemented as a tunnel back to the USA, and is therefore unfiltered, whereas when I'm on a local WiFi network, I'm behind the Great Firewall, unable to access Facebook, Twitter, and so on. The downside of China's approach is that I've been slow to expand my business there — I will not break the law, and I need my employees to have access to the entire Internet.

Another example is Italy's filtering policy regarding unlicensed (non-taxpaying) online gambling, which was blocked not by a national "Great Firewall" but rather by SOPA-style DNS filtering mandated for Italian ISPs. The visible result was an uptick in the use of Google DNS (8.8.8.8 and 8.8.4.4) by Italian gamblers, and if there was also an increase in gambling tax revenue, that was not widely reported. The downside here is the visible cracks in Italian society — many Italians apparently do not trust their own government. Furthermore, in 2013 the European Union ruled that this kind of filtering was a violation of EU policy.

In Turkey up until 2016, the government had similar protections in place, not about gambling but rather pornography, terrorism, and anti-Islamic hate speech. The filtering was widely respected, showing that the Turkish people and their government were more closely aligned at that time than was evident during the Italian experiment. It was possible for Turkish Internet users to opt out of the government's Internet filtering regime, but such opt-out requests were uncommon. This fit the Internet's cooperation-based foundation perfectly: where interests are aligned, cooperation is possible, but where interests are not aligned, unilateral mandates are never completely effective.

In the years since the SOPA debacle in the United States, I've made it my priority to discuss with the entertainment and luxury goods industries the business and technical problems posed to them by the Internet. Away from the cameras, most executives freely admit that it's not possible to prevent determined users from reaching any part of the Internet they might seek, including so-called "pirate" sites which may even be "dedicated to infringement". I learned, however, that there is a class of buyers, of music, movies, and luxury goods alike, who are not interested in infringement per se, and who are often simply misled by "pirate" Internet sites that pretend to be legitimate. One estimate was that only one third of commercial music is bought legally, and the remaining two thirds is roughly divided between dedicated (one third) and accidental (one third) infringement. If so, then getting the accidental infringers who make up one third of the market to buy their music legally wouldn't change the cost of music for those buyers, but could raise the music industry's revenues by 100%. We should all think of that as a "win-win-win" possibility.

Speaking for myself, I'd rather live and act within the law, respecting intellectual property rights, and using my so-called "dollar votes" to encourage more commercial art to be produced. I fought SOPA not because I believed that content somehow "wanted to be free", but because this kind of filtering will only be effective where the end-users see it as a benefit — see it, in other words, as aligned with their interests. That's why I co-invented the DNS RPZ firewall system back in 2010, which allows security policy subscribers to automatically connect to their providers in near-realtime, and to then cooperate on wide-scale filtering of DNS content based on a shared security policy. This is the technology that SOPA would have used, except that SOPA would have been widely bypassed, and where not bypassed, would have prohibited DNSSEC deployment. American Internet users are more like Italians than Turks — they don't want their government telling them what they can't do.

I think, though, that every government ought to offer this kind of DNS filtering, so that any Internet user in that country who wants to see only the subset of the Internet considered safe by their national government can get that behavior as a service. Some users, including me, would be happy to follow such policy advice even though we'd fight against any similar policy mandate. In my case, I'd be willing to pay extra to get this kind of filtering. My nation's government invests a lot of time and money identifying illegal web sites, whether dedicated to terrorism, or infringement, or whatever. I'd like them to publish their findings in real time using an open and unencumbered protocol like DNS RPZ, so that those of us who want to avoid those varieties of bad stuff can voluntarily do so. In fact, the entertainment industry could do the same — because I don't want to be an accidental infringer either.

Future, Foreground, and Specific Approaches

While human ingenuity can sometimes seem boundless, a nation-state exerting any kind of control over Internet reachability within its borders has only three broad choices available to it.

First, the Great Firewall approach. In this scenario, the government is on-path and can witness, modify, or insert traffic directly. This is costly in human resources, services, equipment, electric power, and prestige. Every in-country Internet Service Provider that wants an out-of-country connection must work directly with government agencies or agents to ensure that real time visibility and control are among the government's powers. This may require that all Internet border crossings occur in some central location, or it may require that the government's surveillance and traffic modification capabilities be installed in multiple discrete locations. In addition to hard costs, there will be soft costs like errors and omissions which induce unexplained failures. The inevitable effects on the nation's economy must be considered, since a "Great Firewall" approach must by definition wall the country off from mainstream human ideas, with associated chilling effects on outside investment. Finally, this approach, like all access policies, can be bypassed by a determined-enough end-user who is willing to ignore the law. The "Great Firewall" approach will maximize the bypass costs, having first maximized deployment costs.

Second, a distributed announcement approach using Internet Protocol address-level firewalls. Every user and every service on the Internet has to have one or more IP addresses from which to send packets to, and at which to receive packets from, other Internet participants. While the user-side IP addresses tend to be migratory and temporary in nature due to mobile users or address-pool sharing, the server-side IP addresses tend to be well known, pre-announced, and predictable. If a national government can compel all of its Internet Service Providers to listen for "IP address firewall" configuration information from a government agency, and to program their own local firewalls in accordance with the government's then-current access policies, then it would have the effect of making distant (out-of-country) services deliberately unreachable by in-country users. Like all policy efforts, this can be bypassed, either by in-country (user) effort, or by out-of-country (service) provider effort, or by middle-man proxy or VPN provider effort. Bypass will be easier than in the Great Firewall approach described above, but a strong advantage of this approach is that the government does not have to be on-path, and so everyone's deployment costs are considerably lower.

Third and finally, a distributed announcement approach using Domain Name System (DNS)-level firewalls. Every Internet access requires at least one DNS lookup, and these lookups can be interrupted according to policy if the end-user and Internet Service Provider (ISP) are willing to cooperate on the matter. A policy-based firewall operating at the DNS level can interrupt communications based on several possible criteria: either a "domain name" can be poisoned, or a "name server", or an "address result". In each case, the DNS element to be poisoned has to be discovered and advertised in advance, exactly as in the "address-level firewall" and "Great Firewall" approaches described above. However, DNS lookups are far less frequent than packet-level transmissions, and so the deployment cost of a DNS-level firewall will be far lower than for a packet-level firewall. A DNS firewall can be constructed using off-the-shelf "open source" software using the license-free "DNS Response Policy Zone" (DNS RPZ) technology first announced in 2010. The DNS RPZ system allows an unlimited number of DNS operators ("subscribers") to synchronize their DNS firewall policy to one or more "providers" such as national governments or industry trade associations. DNS firewalls offer the greatest ease of bypass, so much so that it's better to say that "end-user cooperation is assumed," which could be a feature rather than a bug.
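To make the three DNS-level criteria above concrete (a domain name, a name server, or an address result can each be the thing that triggers policy), here is an added example of how a subscriber's resolver could evaluate RPZ-style triggers against a resolved answer. It is not code from the article or from any RPZ implementation: the owner-name encodings (a plain name, `rpz-ip`, `rpz-nsdname`, `rpz-nsip`) and the special CNAME targets follow the published RPZ format, while the zone name `rpz.example`, the policy records and the query results are constructed, and only IPv4 address triggers are handled.

```python
"""Evaluate DNS Response Policy Zone (RPZ) triggers against a resolved answer."""
import ipaddress
from dataclasses import dataclass, field

RPZ_ZONE = "rpz.example"  # assumed name of the provider's policy zone

# Constructed policy records as (owner name relative to RPZ_ZONE, CNAME target):
# the owner name encodes the trigger, the CNAME target encodes the action.
RPZ_RECORDS = [
    ("casino.example", "."),                       # QNAME trigger -> NXDOMAIN
    ("*.casino.example", "."),                     # wildcard: every subdomain too
    ("mail.casino.example", "rpz-passthru."),      # exception: never rewrite this name
    ("tracker.example", "*."),                     # QNAME trigger -> NODATA
    ("24.0.113.0.203.rpz-ip", "garden.example."),  # answer in 203.0.113.0/24 -> walled garden
    ("ns1.rogue-dns.example.rpz-nsdname", "."),    # served by that name server -> NXDOMAIN
    ("32.9.2.0.192.rpz-nsip", "."),                # name server at 192.0.2.9 -> NXDOMAIN
]
PRECEDENCE = {"qname": 0, "ip": 1, "nsdname": 2, "nsip": 3}  # lower wins on a tie

@dataclass
class Response:
    """What the resolver learned before applying policy (constructed input)."""
    qname: str
    answers: list = field(default_factory=list)   # A/AAAA rdata returned
    ns_names: list = field(default_factory=list)  # authoritative servers consulted
    ns_addrs: list = field(default_factory=list)  # addresses of those servers

def decode_action(target):
    """Map the special CNAME targets defined by RPZ to an (action, data) pair."""
    special = {".": "NXDOMAIN", "*.": "NODATA",
               "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}
    return (special[target], None) if target in special else ("CNAME", target)

def parse_trigger(owner):
    """Return (kind, key, specificity) for an RPZ owner name."""
    labels = owner.split(".")
    for kind, marker in (("ip", "rpz-ip"), ("nsip", "rpz-nsip")):
        if marker in labels:  # <prefixlen>.<IPv4 octets reversed>.<marker>
            i = labels.index(marker)
            cidr = ".".join(reversed(labels[1:i])) + "/" + labels[0]
            net = ipaddress.ip_network(cidr)
            return kind, net, net.prefixlen
    if labels[-1] == "rpz-nsdname":
        kind, pattern = "nsdname", ".".join(labels[:-1])
    else:
        kind, pattern = "qname", owner
    # An exact name beats a wildcard, and a longer name beats a shorter one.
    return kind, pattern, 2 * len(pattern) + (0 if pattern.startswith("*.") else 1)

def name_matches(pattern, name):
    """Exact match, or wildcard match of any proper subdomain."""
    name = name.rstrip(".").lower()
    return name.endswith(pattern[1:]) if pattern.startswith("*.") else name == pattern

def trigger_hits(kind, key, resp):
    """Does this trigger fire on the given response?"""
    if kind == "qname":
        return name_matches(key, resp.qname)
    if kind == "nsdname":
        return any(name_matches(key, n) for n in resp.ns_names)
    addrs = resp.answers if kind == "ip" else resp.ns_addrs
    return any(ipaddress.ip_address(a) in key for a in addrs)

def evaluate(resp, records=RPZ_RECORDS):
    """Return (action, data, winning trigger name), or None if no policy applies."""
    best = None
    for owner, target in records:
        kind, key, spec = parse_trigger(owner)
        if trigger_hits(kind, key, resp):
            rank = (PRECEDENCE[kind], -spec)
            if best is None or rank < best[0]:
                best = (rank, owner, decode_action(target))
    if best is None:
        return None
    _, owner, (action, data) = best
    return action, data, owner + "." + RPZ_ZONE
```

The passthru record shows how a provider publishes an exception inside a blocked domain, and the nsdname and nsip records show policy applied to the servers that answered rather than to the name asked for.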

Conclusion

A national government that wants to make a difference in the lived Internet experience of its citizens should consider not just the hard deployment and operational costs, but also the soft costs to the overall economy and in prestige, and especially, what symbolic message is intended. If safety as defined by the government is to be seen as a goal it shares with its citizens, and one that will be implemented using methods and policies agreed to by its citizens, then ease of bypass should not be a primary consideration. Rather, ease of participation and transparency of operation will be the most important ingredients for success.

what network neutrality meant in 2010 was whether or not your traffic was allowed to go through at all, and i was against it, because every distributed reputation system from the MAPS RBL of the mid-1990s through the modern day A/V and spamhaus and surbl and other systems, relies on being able to say "no". postel's maxim "be liberal in what you accept" is simply wrong on a commercial internet where people with unaligned interests can reach you.

what network neutrality means in 2017 is whether your traffic is performance-penalized or not, getting through but too slowly to be competitive, and i am for it, because last mile is once again effectively monopolized and i come from a decade where the last mile provider was not allowed to restrain third party innovation (like modems, or AOL).

it turns out that dns filtering was not actually a great tool for government censorship, as demonstrated by the italy debacle in 2013. so i was wrong to worry about that part. catch me at the bar some time and i'll tell you the story of RPZ and SOPA.

Paul, thanks for the thoughtful essay. User-selectable filtering is certainly preferable to filtering mandated by governments, monopolist ISPs, or a combination of the two. Ideally, every Internet user would be able to make an informed choice about which endpoints they want blocked, and could be aided in that task by the curator of their choice - not just governments like China or industry associations like MPAA/RIAA, but also user-aligned groups with varying constituencies. Those could be something like Adblock Plus block-list maintainers, or companies like ClearPlay that offer a service of editing the naughty bits out of films on the fly.

The problem with this approach is that it requires real, informed choice by Internet users. As many if not most people will stick with the default DNS firewall policy "provider," that provider gains a de facto power of censorship. The other danger is that widespread use of such filtering, through any of the technological approaches you mentioned, lowers the economic, political, and "prestige" costs of mandatory site-blocking, as in China. If the system is in place, it's easy to flip a switch and make it mandatory. And if any entity, whether government, NGO, or commercial, gains a critical mass of users as a filter policy provider, they will come under immense pressure from special interests to filter more and more. A voluntary system for users who want to block themselves from reaching sites that the MPAA deems "rogue" easily becomes a mandatory system that blocks websites on behalf of numerous governmental and private special interests.

While this is a global issue, Americans in particular are traditionally very wary of "a national government who wants to make a difference in the lived Internet experience of its citizens" by restricting what information they can receive, even if there are ways to bypass those restrictions. And giving those tools, and that example, to governments that manifestly do not have their citizens' best interests in mind should concern us all.

i visited the android store and searched for "dns changer" and there were dozens of free apps there. i also tested several under windows, back during the SOPA debacle. i know mac/os has ways to do this, since that's how dnssec validation worked for a while. i don't know about iOS but it seems that there has to be a non-root way to select dns servers other than those offered by your wireless provider or ISP. what this tells me is that you don't have to be at all technical in order to know you need this and to do it. this kind of dns filtering has been occurring for many years — nominum had it in their product as early as 2004, for example, and they are used by a lot of wireless providers. rpz makes the market larger but is not the only gateway to this capability.

that matters because curated filtering _works today_. opendns already has this, and google could offer it if they wanted to. there is a market for it. i've been thinking of shrinking the rDNS function down to smartphone size where all configuration is local, for example. i know that most users aren't informed, but some famous arab spring pictures of "8.8.8.8" spray painted on concrete-block walls, and the italian online gambling debacle, show us how quickly informed choice in rDNS becomes massively multiplayer when called for.

china is currently clamping down on VPNs again, even to the point of demanding that apple remove VPN software from the iOS Store as viewed from china. successfully, i might add. i think if a government has the authority and capability to "flip a switch and make (RPZ) mandatory" that it is that switch-flipping authority and capability, and not RPZ per se or any other specific filtering capability, that enables nation-state censorship to occur. i have heard the "easily becomes" argument before, and my answer applies here as well: Notice, Takedown, Borders, and Scale.

Many in Civil Society firmly believe that the Internet not just can be or is, but should be a democratizing force. Even more people hold that democracy is a universal good. The union of those views leads to a call for political disruption, for example, to "fight" censorship even if it's the law of the land, often noting that many evils including slavery in the United States during its first century of existence, were legal at the time. I resonate to those views myself, and I call many of those who hold those views fellow travelers, or even, drinking buddies. However, and this is a big however, national sovereignty is a thing, as is the rule of law, and when we lecture others as to what's right and what's wrong we should expect some resistance, some laughter, and sometimes self-marginalization. I am a frequent polemicist for various ideologies, and I respect other such polemicists if they can be informed, relevant, respectful, polite, and professional. But none of us should pretend that anybody has to listen to us, especially nation-state governments.

All of this should sound to you like rationalization, if you think I'm making money from DNS Firewalls with RPZ. It should seem like I was trying to improve my business conditions, so as to sell more product, except that we (my co-inventor Vernon Schryver and I) made the technology completely open and unencumbered, implementable and operable by all, without license or royalty. We weren't working for any government when we put this stuff out there and encouraged wide adoption. We simply considered that the known good of giving malicious DNS content differential (that is to say, worse) service, outweighed the unknown bad of some DNS operator or their national government getting away with censorship because their local users didn't yet know how easy it was to switch DNS providers.

I pushed DNS Firewalls with RPZ at exactly the time that SOPA was being fought, knowing as I did so that the law of my land might shortly require (and, it was a near thing!) its use. That is how much confidence I have in the end-user cooperation assumed by and required for DNS filtering.
